IAM privilege escalation via undocumented CodeStar API

Published Tue, Jun 18th, 2019


The AWS CodeStar service had an undocumented API (codestar:CreateProjectFromTemplate) that allowed users with broadly-scoped CodeStar permissions to create a CodeStar project. As part of the creation process, AWS would create a new CodeStarWorker IAM policy & attach it to the user making the call. This policy granted full access to over 50 AWS services, including iam:AttachRolePolicy, iam:AttachUserPolicy and iam:PutRolePolicy permissions, which would allow the user to escalate to full administrator access. Following disclosure, AWS removed the majority of access granted by the CodeStarWorker policy, but this is still a viable escalation path if there are other misconfigurations in the environment.

Affected Services



If not using the CodeStar service, ensure that the “aws-codestar-service-role” is removed from all your accounts. Apply principle of least privilege to all CodeStar-related resources to ensure the codestar:CreateProjectFromTemplate permission is only granted when absolutely necessary. Implement monitoring on any users with access to the codestar:CreateProject and iam:PassRole actions to detect potential escalation attempts.

Tracked CVEs

No tracked CVEs


Disclosure Date
Tue, Mar 19th, 2019
Exploitablity Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Spencer Gietzen, Rhino Security Labs